Hi Peeps,
Wonder if you can shed some light on my issue before I lose all my hair!
I am attempting to create a VPN between a RV120W at a remote site and our ISA500W at our offices... I just cannot get it to connect!
I am setting up an IPsec tunnel between the sites but it just doesn't want to connect.
Remote site - RV120W
IKE Policy Table
Direction / type Both
Exchange Mode main
Encryption 3DES
Auth - SHA-1
DH Group 2
Auth Pre-Shared Key
SA-Lifetime 28800
Xauth None
VPN
Policy Type Auto Policy
Remote Endpoint IP Address
Local IP Subnet
Remote IP Subnet
Auto Policy Parameters
SA-Lifetime 3600 Seconds
Encryption Algorithm 3DES
Integrity Algorithm SHA-1
PFS Key Group Enable
DH-Group 2 (1024 bit)
Head office - ISA550W
IPsec Policy
Remote Type Static IP
Auth Type Pre-Shared Key
Local ID (empty)
Remote ID (empty)
IKE
Hash SHA1
Pre-shared Key
DH Group Group2 (1024 bits)
Lifetime 8 hours
Transform
Integrity ESP_MD5_HMAC
Encryption ESP_3DES
Errors I am getting in the logs
Remote RV120W (note!!!! I have changed the external IPs to protect the innocents!!)
2013-10-29 14:39:20: [rv120w][IKE] INFO: Responding to new phase 2 negotiation: 69.193.0.0[0]<=>80.4.0.0[0]
2013-10-29 14:39:20: [rv120w][IKE] INFO: Using IPsec SA configuration: 192.168.3.0/24<->192.168.1.0/24
2013-10-29 14:39:20: [rv120w][IKE] INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: Peer's Proposal:
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (proto_id=ESP spisize=4 spi=8846693d spi_p=00000000 encmode=Tunnel reqid=0:0)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: Local Proposal:
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=5:5)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: Phase 2 proposal by 80.4.0.0[0] did not match.
2013-10-29 14:39:20: [rv120w][IKE] ERROR: No suitable policy found for 80.4.0.0[0]
2013-10-29 14:39:20: [rv120w][IKE] INFO: Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]
2013-10-29 14:39:20: [rv120w][IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=c8d68f74af9dfa9a:b4137fd6e0666914.
2013-10-29 14:39:29: [rv120w][IKE] INFO: accept a request to establish IKE-SA: 80.4.0.0
2013-10-29 14:39:29: [rv120w][IKE] INFO: Configuration found for 80.4.0.0
2013-10-29 14:39:29: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: 69.193.0.0[500]<=>80.4.0.0[500]
2013-10-29 14:39:29: [rv120w][IKE] INFO: Beginning Identity Protection mode.
2013-10-29 14:39:29: [rv120w][IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2013-10-29 14:39:29: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2013-10-29 14:39:29: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2013-10-29 14:39:29: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2013-10-29 14:39:30: [rv120w][IKE] INFO: Received unknown Vendor ID
2013-10-29 14:39:30: [rv120w][IKE] INFO: Received Vendor ID: DPD
2013-10-29 14:39:30: [rv120w][IKE] INFO: Received Vendor ID: RFC 3947
2013-10-29 14:39:30: [rv120w][IKE] INFO: For 80.4.0.0[500], Selected NAT-T version: RFC 3947
2013-10-29 14:39:30: [rv120w][IKE] INFO: NAT-D payload matches for 69.193.0.0[500]
2013-10-29 14:39:30: [rv120w][IKE] INFO: NAT-D payload does not match for 80.4.0.0[500]
2013-10-29 14:39:30: [rv120w][IKE] INFO: NAT detected: PEER
2013-10-29 14:39:30: [rv120w][IKE] INFO: for debugging :: changing ports
2013-10-29 14:39:30: [rv120w][IKE] INFO: port changed !!
2013-10-29 14:39:30: [rv120w][IKE] INFO: Received unknown Vendor ID
2013-10-29 14:39:30: [rv120w][IKE] INFO: ISAKMP-SA established for 69.193.0.0[4500]-80.4.0.0[4500] with spi:740e6a59f02eca3a:820460c448a5b74b
2013-10-29 14:39:30: [rv120w][IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2013-10-29 14:39:31: [rv120w][IKE] INFO: Initiating new phase 2 negotiation: 69.193.0.0[500]<=>80.4.0.0[0]
2013-10-29 14:39:31: [rv120w][IKE] INFO: Adjusting encryption mode to use UDP encapsulation
2013-10-29 14:39:31: [rv120w][IKE] ERROR: Unknown notify message from 80.4.0.0[4500].No phase2 handle found.
2013-10-29 14:39:41: [rv120w][IKE] ERROR: Unknown notify message from 80.4.0.0[4500].No phase2 handle found.
2013-10-29 14:39:51: [rv120w][IKE] ERROR: Unknown notify message from 80.4.0.0[4500].No phase2 handle found.
2013-10-29 14:40:01: [rv120w][IKE] ERROR: Unknown notify message from 80.4.0.0[4500].No phase2 handle found.
2013-10-29 14:40:02: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up. c8d68f74af9dfa9a:b4137fd6e0666914:f6cdeead
2013-10-29 14:40:02: [rv120w][IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.
Head office ISA550
2013-10-29 15:25:29 - Warning - IPsec VPN: msg="PixelNY" #4765: Quick mode retry fail, please Check if local IKE/Transform/PFS are the same as remote site; (pluto)
2013-10-29 15:25:29 - Warning - IPsec VPN: msg="PixelNY" #4765: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message; (pluto)
2013-10-29 15:22:38 - Warning - IPsec VPN: msg="PixelNY" #4763: Quick mode retry fail, please Check if local IKE/Transform/PFS are the same as remote site; (pluto)
2013-10-29 15:22:38 - Warning - IPsec VPN: msg="PixelNY" #4763: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message; (pluto)
2013-10-29 15:20:28 - Warning - IPsec VPN: msg="PixelNY" #4761: Quick mode retry fail, please Check if local IKE/Transform/PFS are the same as remote site; (pluto)
2013-10-29 15:20:28 - Warning - IPsec VPN: msg="PixelNY" #4761: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message; (pluto)
2013-10-29 15:20:12 - Warning - Firewall: type=ACL
If anyone could shed some light that would be fantastic!!
Based on the configuration items you've listed, this is what I'm seeing. The Transforms don't match between the ISA and the RV. Either change the RV Integrity to MD5 or change the ISA Transform Set to SHA1. I'd recommend changing the ISA to SHA1. As well, you didn't mention what the ISA IKE Policy Encryption is, but it's 3DES in the RV so you'll need to ensure it's 3DES in the ISA. Also note that your SA lifetimes don't match. Technically that should be OK, but it really is a best practice to have them match as well. The ISA is 8 hours and the RV is 1 hour (3600 seconds).
Shawn Eftink
CCNA/CCDA
Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
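As an added example (not code from the thread, from Cisco, or from either device's firmware), here is a small Python script that does the comparison Shawn describes mechanically. It parses the "Peer's Proposal" / "Local Proposal" dump that the RV120W's racoon daemon prints before it answers NO-PROPOSAL-CHOSEN and reports the attribute that differs, pulls the negotiated xfrm out of the ISA's pluto "IPsec SA established" lines, and checks the two devices' Phase 2 settings (encryption, integrity, PFS, SA lifetime) against each other after normalising the vendor spellings (SHA-1, hmac-sha, ESP_SHA1_HMAC). The log lines and the RV120W / ISA550W dictionaries are constructed from the text of this thread; the severity labels (transform mismatch fatal, PFS flagged for checking, lifetime a warning) are my reading of the accepted answer, not device behaviour documented here.

```python
import re

# Constructed from the RV120W (racoon) lines quoted in the thread; the poster
# had already masked the public addresses.
RV120W_LOG = """\
2013-10-29 14:39:20: [rv120w][IKE] WARNING: Peer's Proposal:
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (proto_id=ESP spisize=4 spi=8846693d spi_p=00000000 encmode=Tunnel reqid=0:0)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: Local Proposal:
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=5:5)
2013-10-29 14:39:20: [rv120w][IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
"""

# Two ISA (pluto) "IPsec SA established" lines copied from the thread.
PLUTO_AES_SA = ('2013-10-29 17:59:11 Warning IPsec VPN msg="NJL" #4893: STATE_QUICK_I2: sent QI2, '
                'IPsec SA established tunnel mode {ESP=>0x10273401 <0x88466959 '
                'xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled};')
PLUTO_3DES_SA = ('2013-10-30 17:55:50 - Warning - IPsec VPN: msg="PixelNY" #6751: STATE_QUICK_R2: '
                 'IPsec SA established tunnel mode {ESP=>0x0cd10ebd <0x88466975 '
                 'xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}; (pluto)')

# Phase 2 settings as listed in the original post (constructed dictionaries).
RV120W = {"encryption": "3DES", "integrity": "SHA-1", "pfs": True, "lifetime_s": 3600}
ISA550W_ORIGINAL = {"encryption": "ESP_3DES", "integrity": "ESP_MD5_HMAC",
                    "pfs": False, "lifetime_s": 8 * 3600}
ISA550W_FIXED = {"encryption": "ESP_3DES", "integrity": "ESP_SHA1_HMAC",
                 "pfs": True, "lifetime_s": 3600}

KV_RE = re.compile(r"(\w+)=([^\s)]+)")
# Per-negotiation values that never decide whether a proposal is acceptable.
IGNORED = {"spi", "spi_p", "reqid", "spisize"}


def parse_racoon_proposals(text):
    """Return {'peer': {...}, 'local': {...}} from racoon's proposal dump."""
    proposals, current = {}, None
    for line in text.splitlines():
        if "Peer's Proposal" in line:
            current = proposals.setdefault("peer", {})
        elif "Local Proposal" in line:
            current = proposals.setdefault("local", {})
        elif current is not None and "(" in line:
            current.update((k, v) for k, v in KV_RE.findall(line) if k not in IGNORED)
    return proposals


def mismatches(a, b):
    """Keys both sides carry with differing values: the reason for NO-PROPOSAL-CHOSEN."""
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}


def parse_pluto_xfrm(line):
    """Pull the negotiated ESP transform (cipher, key length, integrity) out of a pluto line."""
    m = re.search(r"xfrm=([A-Z0-9]+)_(\d+)-HMAC_([A-Z0-9]+)", line)
    if not m:
        return None
    return {"enc": m.group(1).lower(), "keylen": int(m.group(2)), "integ": m.group(3).lower()}


def normalize(alg):
    """Map vendor spellings (ESP_SHA1_HMAC, hmac-sha, SHA-1, ESP_3DES) onto one token."""
    a = alg.lower()
    for junk in ("esp_", "_hmac", "hmac-", "-", "_"):
        a = a.replace(junk, "")
    return {"sha": "sha1"}.get(a, a)


def compare_phase2(side_a, side_b):
    """Return [(severity, field, a, b)] for every Phase 2 setting that differs.

    Severity is an assumption taken from the accepted answer: transform
    mismatch is fatal, PFS should be checked on both ends, lifetime is advisory.
    """
    findings = []
    for field in ("encryption", "integrity"):
        a, b = normalize(side_a[field]), normalize(side_b[field])
        if a != b:
            findings.append(("fatal", field, a, b))
    if side_a["pfs"] != side_b["pfs"]:
        findings.append(("check", "pfs", side_a["pfs"], side_b["pfs"]))
    if side_a["lifetime_s"] != side_b["lifetime_s"]:
        findings.append(("warning", "lifetime_s", side_a["lifetime_s"], side_b["lifetime_s"]))
    return findings


if __name__ == "__main__":
    props = parse_racoon_proposals(RV120W_LOG)
    print("racoon phase 2 mismatch:", mismatches(props["peer"], props["local"]))
    for label, cfg in (("ISA original", ISA550W_ORIGINAL), ("ISA fixed", ISA550W_FIXED)):
        print(label, "vs RV120W:", compare_phase2(RV120W, cfg))
    print("pluto xfrm:", parse_pluto_xfrm(PLUTO_AES_SA), parse_pluto_xfrm(PLUTO_3DES_SA))
```

Run against the thread's own lines, the racoon dump isolates `authtype` (hmac-md5 offered by the ISA, hmac-sha expected by the RV), which is exactly the integrity mismatch in the answer above; the config check against the original ISA settings reports integrity as fatal, PFS as something to check and the 8-hour versus 1-hour lifetime as a warning, and reports nothing once the ISA is set to ESP_SHA1_HMAC with PFS on and a 3600 s lifetime.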
You stated that PFS is enabled in the RV. Is it also enabled on the ISA?
Sent from Cisco Technical Support iPhone App
The ISA had it disabled. I have enabled and tried to connect but still no-go
Hi Shawn,
Thank you for looking into this!
Transform set has now been changed on the ISA to :-
ESP
Integrity: ESP_SHA1_HMAC
Encryption ESP_3DES
Info was above, I just didn't highlight it very well, apologies!
I have also changed the ISA's SA lifetimes to 1 hour to match.
Still not connecting.
2013-10-29 18:01:04 Warning IPsec VPN msg="PixelNY" #4895: starting keying attempt 2 of at most 3, but releasing whack;
2013-10-29 18:01:04 Warning IPsec VPN msg="PixelNY" #4895: Quick mode retry fail, please Check if local IKE/Transform/PFS are the same as remote site;
2013-10-29 18:01:04 Warning IPsec VPN msg="PixelNY" #4895: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message;
2013-10-29 17:59:11 Warning IPsec VPN msg="NJL" #4893: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x10273401 <0x88466959 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled};
John,
It's now showing the Transform set as AES_256. Please check that the Integrity is set to ESP_SHA1_HMAC and the Encryption is set to ESP_3DES on both devices.
Shawn Eftink
CCNA/CCDA
Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Hi Shawn,
I have checked the Transform sets and they match as far as I can see.
On the RV120W I'm getting these errors over and over
2013-10-30 08:24:51: [rv120w][IKE] ERROR: Could not find configuration for 80.4.0.0[500] (last 2 octets changed to 0's for security)
If I try and initiate connection from RV120W I get these logs on the ISA
2013-10-30 17:55:00 - Warning - IPsec VPN: msg="PixelNY" #6747: Quick mode retry fail, please Check if local IKE/Transform/PFS are the same as remote site; (pluto)
2013-10-30 17:55:00 - Warning - IPsec VPN: msg="PixelNY" #6747: max number of retransmissions (2) reached STATE_MAIN_R2; (pluto)
2013-10-30 17:54:52 - Warning - IPsec VPN: msg="PixelNY" #6748: STATE_MAIN_R2: sent MR2, expecting MI3; (pluto)
2013-10-30 17:54:52 - Warning - IPsec VPN: msg="PixelNY" #6748: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed; (pluto)
2013-10-30 17:54:52 - Warning - IPsec VPN: msg="PixelNY" #6748: ignoring Vendor ID payload [KAME/racoon]; (pluto)
2013-10-30 17:54:51 - Warning - IPsec VPN: msg="PixelNY" #6748: STATE_MAIN_R1: sent MR1, expecting MI2; (pluto)
2013-10-30 17:54:51 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: received Vendor ID payload [Dead Peer Detection]; (pluto)
2013-10-30 17:54:51 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: received Vendor ID payload [RFC 3947] method set to=109 ; (pluto)
2013-10-30 17:54:51 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 ; (pluto)
2013-10-30 17:54:51 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]; (pluto)
2013-10-30 17:53:50 - Warning - IPsec VPN: msg="PixelNY" #6747: STATE_MAIN_R2: sent MR2, expecting MI3; (pluto)
2013-10-30 17:53:50 - Warning - IPsec VPN: msg="PixelNY" #6747: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed; (pluto)
2013-10-30 17:53:50 - Warning - IPsec VPN: msg="PixelNY" #6747: ignoring Vendor ID payload [KAME/racoon]; (pluto)
2013-10-30 17:53:49 - Warning - IPsec VPN: msg="PixelNY" #6747: STATE_MAIN_R1: sent MR1, expecting MI2; (pluto)
2013-10-30 17:53:49 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: received Vendor ID payload [Dead Peer Detection]; (pluto)
2013-10-30 17:53:49 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: received Vendor ID payload [RFC 3947] method set to=109 ; (pluto)
2013-10-30 17:53:49 - Warning - IPsec VPN: msg=packet from 69.193.0.0:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 ; (pluto)
And these in the informational message
2013-10-30 17:55:50 - Warning - IPsec VPN: msg="PixelNY" #6749: received and ignored informational message; (pluto)
2013-10-30 17:55:50 - Warning - IPsec VPN: msg="PixelNY" #6749: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x88466974) not found (maybe expired); (pluto)
2013-10-30 17:55:50 - Warning - IPsec VPN: msg="PixelNY" #6749: received Delete SA(0x061f07be) payload: deleting IPSEC State #6750; (pluto)
2013-10-30 17:55:50 - Warning - IPsec VPN: msg="PixelNY" #6749: receive delete state Tunnel1 999 6750; (pluto)
2013-10-30 17:55:50 - Warning - IPsec VPN: msg="PixelNY" #6751: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0cd10ebd <0x88466975 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}; (pluto)
2013-10-30 17:55:50 - Info - IPsec VPN: msg="PixelNY" #6751: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2; (pluto)
2013-10-30 17:55:50 - Info - IPsec VPN: msg="PixelNY" #6751: Dead Peer Detection (RFC 3706): enabled; (pluto)
2013-10-30 17:55:49 - Warning - IPsec VPN: msg="PixelNY" #6751: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: [setup_half_ipsec_sa:1908] c->name(Tunnel1), d1(192.168.3.0/24), instance_serial (0), s1(192.168.1.0/24)...; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: keeping refhim=589 during rekey; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: them: 69.193.160.238<69.193.160.238>[+S=C]===192.168.3.0/24; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: us: 192.168.1.0/24===10.20.0.0<10.20.0.0>[+S=C]---10.20.0.1; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: responding to Quick Mode proposal {msgid:90d265bf}; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6751: the peer proposed: 192.168.1.0/24:0/0 -> 192.168.3.0/24:0/0; (pluto)
2013-10-30 17:55:49 - Info - IPsec VPN: msg="PixelNY" #6749: the peer proposed: 192.168.1.0/24:0/0 -> 192.168.3.0/24:0/0; (pluto)
2013-10-30 17:55:49 - Warning - IPsec VPN: msg="PixelNY" #6750: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x061f07be <0x88466974 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}; (pluto)
2013-10-30 17:55:44 - Info - IPsec VPN: msg="PixelNY" #6750: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2; (pluto)
2013-10-30 17:55:44 - Info - IPsec VPN: msg="PixelNY" #6750: Dead Peer Detection (RFC 3706): enabled; (pluto
Shawn.....
Just after I sent that message it just started working!!!
Fantastic!!!
Sent from Cisco Technical Support iPhone App
Shawn,
Thank you so much for your help, I shall mark one of your responses as correct answer as hopefully it will point someone else in the right direction.
I have rebooted both units and tunnel comes back up fine so I am happy with that!
Regards and thanks